Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Client.exe' = '"<Full path to file>" ..'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'Client.exe' = '"<Full path to file>" ..'
- %APPDATA%\microsoft\windows\start menu\programs\startup\client.exe
- hidden files
- '%WINDIR%\syswow64\taskkill.exe' /F /IM wscript.exe
- '%WINDIR%\syswow64\taskkill.exe' /F /IM cmd.exe
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- http://oc##.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D
- DNS ASK microsoft.com
- DNS ASK 0.###.ngrok.io
- DNS ASK oc##.thawte.com
- ClassName: '' WindowName: ''
- '%WINDIR%\syswow64\taskkill.exe' /F /IM wscript.exe (with hidden window)
- '%WINDIR%\syswow64\taskkill.exe' /F /IM cmd.exe (with hidden window)